The ravings of a SANS/GIAC GSE (Compliance & Malware)
For more information on my role as a presenter and commentator on IT Security, Digital Forensics, Statistics and Data Mining,
E-mail me: "craigswright @ acm.org".

Dr. Craig S Wright GSE

What is happening

Books

I have a few books and another is on the way for 2012. Firstly, I have to plug the first in the Syngress Series of books on IT Audit. This is a comprehensive compliance and governance handbook with EVERYTHING (from the high level to the hands on for the expert) to get you started in IT compliance and systems security. The main book is "IT REGULATORY AND STANDARDS COMPLIANCE HANDBOOK". This is the first in a series I have planned and more will follow in time. There will be electronic updates to this book over time to maintain it at a current level.

I will be working on co-authoring a book on CIP (Critical Infrastructure Protection) - but more on this later.

On top of this I recycle computers. To do this I take 1.5 to 2 year old corporate lease computers and refurbish them so that they can run the most current programs.

The question is - what do you do to help?

If you do not have the time, have you thought about a donation?

This blog has been monetised. This is where the money goes. By clicking and purchasing on this site, you help Burnside and Hackers for Charity. All monies earned here are split 50/50 between these two charities.

Wednesday, 25 June 2008

Outsourcing is a process of acquiring services from an external party. In the strictest legal sense, all companies outsource. The statement makes the most sense when you understand that a company can only act through its employees and directors. The company is not an independent entity with a will of its own. Employees are sourced from a location external to the organisation and can, for the most part, leave with little effort.

In addition, services that do not have as much of a strategic focus are generally acquired from contractors. In fact, for any service that is not critical to the organisation, in the sense that it is not something the organisation will excel at, it is generally better to obtain the service from a specialist. In most cases the specialist is a contractor. Companies have a relatively high degree of control over both employees and contractors. When they exercise this control, they shoulder most if not all of the risk of what these parties do. There are some exceptions. In the case of vicarious liability, criminal acts that require mens rea cannot be directly attributed to the company but are rather associated with the individuals responsible and the directors.

In the majority of cases, the company will own or otherwise control the technologies and assets that the employees (and sometimes the contractors) utilise. In this case, the whole risk of the system remains with the company. For key systems this can make sense. As an example, it would not make sense for a manufacturing organisation to outsource the quality control systems within its own facility.

On the other hand, call centre, payroll, data facilities, telecommunications and even warehouse inventory control systems may not be within the general scope of what an organisation specialises in. In these cases, the outsourcing of these operations may be the most effective way to manage the risk associated with these functions.

There are a number of possible approaches to outsourcing. Some of these include:

Acquiring a turnkey solution that is commissioned in its entirety. In many cases the company takes over the risk at acceptance or, at the latest, at the end of the warranty period.

Using a variety of suppliers and vendors to source the individual components and then hiring systems integrators to install and run them. The company takes more upfront risk in this instance but can hand some of the ongoing risk to the outsourcing party.

Contracting the entire operation to a specialised service provider. This has become common within IT and especially with the ASP models. In this instance, the outsourcer is responsible for acquiring all the equipment and expertise and has complete control of the risk in the system. The risk of non-performance remains with the company, however, even though the company has no control of and no risk in the technology itself.

The important consideration in all of these instances is that not all risk can be transferred. In the case of financial reporting obligations, a failure or non-performance by the outsourcer will leave the company vulnerable. Likewise, many other risks will not be transferred but will rather be shared between the company and the outsourcer. In this instance insurance is important.

Escrow

It is necessary to protect against the risk that the supplier will not deliver on its promises. To do this, a company needs to ensure that escrow arrangements have been made. Escrow arrangements rely on a third party that is entrusted with the source code, drawings, plans, designs and other documentation necessary for the operation and maintenance of the system.

Escrow arrangements are enacted only in the event that the supplier fails.

Insurance

There are many types of insurable risk and just as many types of insurance to go with them. Some of the many categories of insurance include:

professional services,

product insurance,

asset protection,

contract liability,

workers compensation,

intellectual property protection,

insurance against damage to property or injury to people,

litigation insurance, and

business interruption protection.

The key point to remember is that insurance does not remove risk but rather transfers selected instances of risk. It is important to always examine the insurance contract. The named parties and covered risks should be taken into account, and the exclusions that exist within the policy should always be understood.